Swiss NREN protection with DNS RPZ


1 Swiss NREN protection with DNS RPZ
First-hand experiences after one year of productive use
Matthias Seitz, Amsterdam, 19th of April 2016

2 SWITCH security department
14 employees
Runs SWITCH-CERT
Protecting the critical infrastructure of our customers
Speaker notes: The security department of SWITCH is one of the most renowned and best-established in Switzerland. For 20 years now it has provided services to various customers. The Computer Emergency Response Team of SWITCH (SWITCH-CERT) sees its task as supporting customers in the fight against Internet criminals and thereby ultimately saving costs: the infrastructure is better protected, and there are fewer losses. We take a holistic view of our work: it covers all aspects of IT, from customer systems through internal IT to supporting helpdesk staff. Together, the staff of SWITCH-CERT cover an extremely broad field of knowledge. CERT staff are sought-after experts at many international conferences and meetings. They actively participate in various governmental, national and international organisations.

3 Typical IT threats
Malware infection sites, drive-by downloads
Botnets used for all kinds of threats
Phishing
APT attacks
Ransomware

4 DNS RPZ
With RPZ, it is possible to control the answering behaviour of a recursive DNS server
Firewall on DNS level
Response Policy Zone
Domains with custom policies: allow, drop, log
An RPZ zone can be handled like any other DNS zone: XFR, NOTIFY, TSIG
Propagation is timely, efficient and authentic
Speaker notes: Recursive DNS servers are the workhorses of the DNS. The end users are querying them.

5 DNS without RPZ
Diagram (actors: Enduser, DNS resolver, Malicious site):
a) Enduser -> DNS resolver: IP for malicious site?
b) DNS resolver -> Enduser: IP
c) Enduser -> Malicious site: HTTP query
d) Malicious site -> Enduser: Malicious data

6 DNS with RPZ
Diagram (actors: RPZ provider, DNS resolver with RPZ zones, Enduser, Safe site):
RPZ provider -> DNS resolver: Notify of zone updates & incremental zone transfer of the RPZ zones
a) Enduser -> DNS resolver: IP for malicious site?
b) DNS resolver -> Enduser: NXDOMAIN / redirect
c) Enduser -> Safe site: Redirect to safe site
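The resolver-side decision sketched in slides 4 to 6 (NXDOMAIN, redirect, allow, drop) is encoded in an RPZ zone as CNAME records with special targets. The following is an added example, not SWITCH's or BIND's code: a minimal evaluator of RPZ QNAME triggers over a constructed zone body, applying the standard RPZ precedence (exact owner name first, then the longest matching wildcard). The zone records and the landing-page name are constructed for illustration.

```python
# Added example, not SWITCH's or BIND's code: a minimal RPZ QNAME-trigger evaluator
# using the standard RPZ encoding of policy actions in CNAME records:
#   CNAME .             NXDOMAIN        CNAME rpz-passthru.  allow (PASSTHRU)
#   CNAME *.            NODATA          CNAME rpz-drop.      drop
#   CNAME <other name>  redirect (here: to a constructed landing page)
# Zone contents and the landing-page name are constructed for this example.
SAMPLE_RPZ_RECORDS = """
bad.example          CNAME  landing.dnsfw.example.  ; redirect user to landing page
*.bad.example        CNAME  landing.dnsfw.example.
c2.example           CNAME  .                       ; NXDOMAIN
*.c2.example         CNAME  .
*.tracker.example    CNAME  *.                      ; NODATA for all subdomains ...
ok.tracker.example   CNAME  rpz-passthru.           ; ... except this allowed host
sinkhole.example     CNAME  rpz-drop.               ; resolver sends no answer at all
"""

SPECIAL_TARGETS = {".": "NXDOMAIN", "*.": "NODATA",
                   "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}


def parse_rpz(text):
    """Map each owner name (lower case, no trailing dot) to its CNAME target."""
    policies = {}
    for raw in text.splitlines():
        parts = raw.split(";")[0].split()          # strip zone-file comments
        if len(parts) >= 3 and parts[1].upper() == "CNAME":
            policies[parts[0].lower().rstrip(".")] = parts[2].lower()
    return policies


def lookup(policies, qname):
    """Apply RPZ precedence: exact owner first, then the longest wildcard.
    Returns (action, redirect_target) or None when no policy matches."""
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    # candidates from most to least specific: exact name, then *.parent at each depth
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for owner in candidates:
        target = policies.get(owner)
        if target is None:
            continue
        if target in SPECIAL_TARGETS:
            return (SPECIAL_TARGETS[target], None)
        return ("REDIRECT", target)            # any other CNAME target is a redirect
    return None


POLICIES = parse_rpz(SAMPLE_RPZ_RECORDS)
```

A call such as `lookup(POLICIES, "www.bad.example")` yields the redirect to the landing page, while a name with no policy returns `None`, meaning the resolver answers normally.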

7 DNS resolver support for RPZ
Software: ISC BIND >= 9.8.1, Knot Resolver (Beta), PowerDNS Recursor (experimental)
Devices: InfoBlox, BlueCat, EfficientIP
As a service: Verisign

8 Make or buy?
Commercial RPZ vendors: DissectCyber, Farsight Security, Spamhaus, SURBL, Internet Identity, ThreatStop
Diagram: RPZ provider -> RPZ zones
Own RPZs: Input from CERT work; Malicious .CH and .LI domains; Partners
Speaker notes: The trial delivered insufficient results. Commercial sub-zones from SURBL for ph and mw were purchased for HS.

9 Timeline
September 2013: The beginning
SWITCH internal RPZ testing
Contact with NREN community
February 2014: Trial with three institutions
Four RPZ providers
Detection and log mechanism works
Zone transfer from the providers works great
Transmission of the hits works
The setup is reliable
Problem: no appropriate zones, no content information

10 Timeline
June 2014: Spamhaus introduces split RPZs
Summer 2014: Evaluating log and monitoring solution, Splunk vs ELK
September 2014: Second RPZ trial
Spamhaus and Farsight Security RPZs
Still no appropriate zones
December 2014: SURBL introduces split RPZs
Malware and phishing RPZ

11 Timeline
March 2015: Purchase of the SURBL RPZs
Decision to also maintain own SWITCH RPZs
SWITCH already has DNS infrastructure, low effort
June 2015: First productive customer
April 2016: Established in the Swiss NREN
Non-NREN institutions are also interested

12 DNSfirewall
Name of the RPZ project / service at SWITCH
Service includes:
Zone transfer to institutions. Or the institutions can use the SWITCH resolvers.
SWITCH and external RPZs
Most-likely-infected reports to security contacts at the institutions
Web landing page for redirecting and informing the end user
Different SWITCH RPZs for customers due to licenses: NREN vs. non-NREN

13 Use Case - Malware (28.04.2017)
Malware specific RPZ
We know for every domain which malware is behind it, so an infection can be identified quite accurately
From CERT internal work: many banking related domains
Malware domains from external partners

14 Use Case - Phishing
Challenges

15 Report Phishing
Several sources
Also external sources such as APWG

16 SWITCH RPZs
zone.mw.rpz.switch.ch: Malware data; automated input from internal analysis of malicious .ch / .li domains; DGAs
zone.ph.rpz.switch.ch: Phishing data
zone.misc.rpz.switch.ch: Other malicious data like adware, spyware, scams
And some more..

17 Landing pages
User information and awareness
NXDOMAIN is not user friendly
Domain access is denied because of: ..
Getting more information for further analysis: URL
Different / individual landing pages, multiple languages
Malware / phishing landing page in German, French, Italian and English
Individual landing pages for institutions
Feed the data into the log and monitoring system

18 Landing pages
End-user awareness
Contact for feedback (false positives)
Collect additional information (HTTP request)

19 Landing pages

20 Log and monitoring infrastructure

21 Log and monitoring infrastructure
Splunk: Easy installation, good documentation, works out of the box. Expensive.
ELK (Elasticsearch, Logstash and Kibana): Easy installation, needs time to set up, works out of the box with a limited feature set. Open source, but support also costs money.
Manpower vs money

22 CERT workflow with DNSfirewall
Diagram (actors: RPZ providers SWITCH and SURBL, DNS resolver with RPZ zones, Enduser, Landing pages, Log & monitoring system):
RPZ providers -> DNS resolver: Notify of zone updates & incremental zone transfer of the RPZ zones
a) Enduser -> DNS resolver: IP for malicious site?
b) DNS resolver -> Enduser: Redirect to landing page
c) DNS resolver -> Log & monitoring system: RPZ hit
d) Enduser <-> Landing pages: HTTP query & response
e) Landing pages -> Log & monitoring system: URL & more

23 Reporting

24 Current status
In production at 15 institutions
Protecting tens of thousands of end users
Many NREN institutions are in trial mode
Many malware detections
Blocking malware, phishing and other threats in the Swiss NREN

25 Enduser feedback
IT manager of a Swiss University: “The new RPZ service runs very well. With this new service, we have detected several security issues at our institution. The good thing is that we now see our IT environment more clearly, but of course it also produces more work.”

26 @switchcert


Download ppt "Swiss NREN protection with DNS RPZ"

Similar presentations


Ads by Google